crewli/api/app/Http/Resources/FormBuilder/PublicFormSchemaResource.php
bert.hausmans b688ec26f0 feat(scope): declarative FK-chain strategy for OrganisationScope, register on 14 models per addendum Q2 + D-03/D-04
Refactors OrganisationScope to support a declarative, recursive FK-chain
resolver and registers the scope on 14 models that previously relied on
caller-discipline for tenant isolation.

Scope resolver (app/Models/Scopes/OrganisationScope.php):
Models now declare their strategy via:

    public static function tenantScopeStrategy(): array
    {
        return ['column' => 'organisation_id'];           // terminal
        // OR
        return ['via' => FormSchema::class, 'fk' => 'form_schema_id'];
    }

The apply() path walks the chain recursively, building whereIn subqueries
against parent models until it hits a column-based strategy. Max 3 hops;
deeper chains raise App\Exceptions\TenantScopeResolutionException. The
walker accepts BOTH the new tenantScopeStrategy() and the legacy
$organisationScopeColumn property at every hop — so PersonIdentityMatch
can chain via Person, which still uses the legacy event_id bridge, without
requiring Person/Event/Shift/FestivalSection/TimeSlot to migrate to the
new convention in this work package. That migration is a separate
backlog ticket — explicitly scope-controlled per the addendum.

Fourteen newly-scoped models:

  Form-builder child models (D-03):
    FormSchemaSection             via FormSchema                    (1 hop)
    FormField                     via FormSchema                    (1 hop)
    FormSubmission                column organisation_id (Commit 2)
    FormValue                     via FormSubmission                (1 hop)
    FormValueOption               via FormValue -> FormSubmission   (2 hops)
    FormSubmissionSectionStatus   via FormSubmission                (1 hop)
    FormSubmissionDelegation      via FormSubmission                (1 hop)
    FormSchemaWebhook             via FormSchema                    (1 hop)
    FormWebhookDelivery           via FormSubmission                (1 hop)

  Event-data models (D-04 event-data subset):
    ShiftAssignment               via Shift (legacy festival_section_id)
    ShiftWaitlist                 via Shift
    VolunteerAvailability         via TimeSlot (legacy event_id)
    PersonSectionPreference       via FestivalSection (legacy event_id)
    PersonIdentityMatch           via Person (legacy event_id)

Note — task directive specified VolunteerAvailability "via: Event, fk: event_id",
but the table has no event_id column (only person_id + time_slot_id).
Rerouted via TimeSlot, which carries the legacy event_id bridge; same
end result, correct FK.

Security-relevant callers made explicit:
  PublicFormSchemaResource::toArray() now eagerly loads fields + sections
  with withoutGlobalScope(OrganisationScope::class). Prior to this commit
  the public form endpoint silently relied on those relations being
  unscoped. The PublicFormCrossOrgScopeTest pre-existing assertions still
  pass — behaviour unchanged, intent now explicit.

Test fix: FormSchemaApiTest::test_publish_sets_is_published_true was
flaky (factory randomly picked EVENT_REGISTRATION which requires
bindings). Pinned to USER_PROFILE for determinism; PurposeSchemaLifecycleTest
covers the binding-enforcement path.

Test flip: MultiTenancyTest::test_form_schema_webhook_is_not_globally_scoped
renamed to is_scoped_via_fk_chain and asserts the new behaviour: scope
filters by route org, withoutGlobalScope() still exposes cross-org rows.
The test's original purpose ("pin current behaviour so a future refactor
is intentional") is now satisfied by Commit 3 being that intentional
refactor.

Docs:
  SCHEMA.md §3.5.11 Rule 5 — tenantScopeStrategy() convention documented;
    the 14 newly-scoped models enumerated; link to addendum Q2.
  ARCH-FORM-BUILDER.md §4.14 — new section "Multi-tenancy scope chain"
    with the hop-count table for all 14 chains and the withoutGlobalScope
    pattern for cross-org callers.

Tests: tests/Feature/MultiTenancy/ScopeLeakageTest.php — two orgs with
fully-populated record chains down to each of the 14 leaf models; asserts
scoped queries never cross, withoutGlobalScope still does. Plus: three-
hop chain (FormValueOption) explicitly exercised, legacy-column bridge
verified, over-deep chain raises TenantScopeResolutionException. 16 tests /
31 new assertions. Full suite: 1000 passed (2706 assertions).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-24 17:08:33 +02:00
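The commit message above describes the recursive FK-chain resolver in prose; the following stand-alone PHP sketch, added here and not the project's OrganisationScope, models how a chain of `tenantScopeStrategy()` declarations is walked into nested `whereIn` subqueries and where the 3-hop ceiling bites. Table names, the `id` primary key, the `MAX_HOPS` name and the two over-deep tables are assumptions; the legacy `$organisationScopeColumn` bridge is not modelled.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-alone walker; the real one lives in Eloquent's apply().
final class TenantScopeResolutionException extends RuntimeException {}

const MAX_HOPS = 3;

// Constructed sample of what each model's tenantScopeStrategy() would return.
const STRATEGIES = [
    'form_submissions'   => ['column' => 'organisation_id'],                              // terminal
    'form_values'        => ['via' => 'form_submissions',   'fk' => 'form_submission_id'], // 1 hop
    'form_value_options' => ['via' => 'form_values',        'fk' => 'form_value_id'],      // 2 hops
    'hop3'               => ['via' => 'form_value_options', 'fk' => 'form_value_option_id'], // 3 hops: allowed
    'hop4'               => ['via' => 'hop3',               'fk' => 'hop3_id'],            // 4 hops: refused
];

/**
 * Build the WHERE clause that pins $table to one organisation, following
 * 'via' hops recursively until a 'column' strategy terminates the chain.
 * The organisation id stays a `?` binding; it is never interpolated.
 */
function tenantWhere(string $table, int $hopsTaken = 0): string
{
    $strategy = STRATEGIES[$table]
        ?? throw new TenantScopeResolutionException("$table declares no tenant scope strategy");

    if (isset($strategy['column'])) {
        return sprintf('%s.%s = ?', $table, $strategy['column']);
    }
    if ($hopsTaken >= MAX_HOPS) {
        // Fail closed: an unresolvable chain must not silently become an unscoped query.
        throw new TenantScopeResolutionException(
            sprintf('%s: FK chain deeper than %d hops', $table, MAX_HOPS)
        );
    }
    // One hop = one whereIn subquery against the parent, scoped the same way.
    return sprintf(
        '%s.%s IN (SELECT id FROM %s WHERE %s)',
        $table, $strategy['fk'], $strategy['via'], tenantWhere($strategy['via'], $hopsTaken + 1)
    );
}

echo tenantWhere('form_value_options'), PHP_EOL;   // two nested subqueries, one binding
echo tenantWhere('hop3'), PHP_EOL;                 // three hops: still resolves
try {
    tenantWhere('hop4');
} catch (TenantScopeResolutionException $e) {
    echo 'refused: ', $e->getMessage(), PHP_EOL;
}
```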


<?php

declare(strict_types=1);

namespace App\Http\Resources\FormBuilder;

use App\Enums\FormBuilder\FormFieldType;
use App\Models\FormBuilder\FormField;
use App\Models\FormBuilder\FormSchema;
use App\Models\PersonTag;
use App\Models\Scopes\OrganisationScope;
use Illuminate\Http\Request;
use Illuminate\Http\Resources\Json\JsonResource;

/**
 * Public-facing schema response for /public/forms/{public_token}. Strictly
 * limited per ARCH §10: only fields with is_portal_visible=true AND
 * is_admin_only=false; no PII hints, no role_restrictions bleed, no
 * submissions_count.
 *
 * Carries TAG_PICKER `available_tags` so the portal can render the picker
 * without a second request (S2c D1). Also surfaces `version` + `opened_at`
 * so the portal can later detect schema drift at submit time (D5).
 *
 * @mixin FormSchema
 */
final class PublicFormSchemaResource extends JsonResource
{
    /**
     * @return array<string, mixed>
     */
    public function toArray(Request $request): array
    {
        // Public endpoints must resolve cross-org — skip OrganisationScope
        // on the FormField / FormSchemaSection relations (both registered
        // via addendum Q2 / WS-4 Commit 3). The schema-level tenant check
        // already happens at PublicFormTokenResolver::resolve().
        $this->resource->loadMissing([
            'fields' => fn ($q) => $q->withoutGlobalScope(OrganisationScope::class),
            'sections' => fn ($q) => $q->withoutGlobalScope(OrganisationScope::class),
        ]);

        // Portal visibility filter: admin-only fields never leave the server.
        $visibleFields = $this->fields
            ->filter(fn ($f) => (bool) $f->is_portal_visible && ! (bool) $f->is_admin_only)
            ->values();

        $organisationId = $this->organisation_id;
        $availableTagsByCategory = $this->availableTagsByCategory($organisationId, $visibleFields);

        return [
            'id' => $this->id,
            'name' => $this->name,
            'slug' => $this->slug,
            'purpose' => $this->purpose instanceof \BackedEnum ? $this->purpose->value : $this->purpose,
            'description' => $this->description,
            'locale' => $this->locale,
            'version' => (int) $this->version,
            'opened_at' => now()->toIso8601String(),
            'consent_version' => $this->consent_version,
            'submission_deadline' => optional($this->submission_deadline)->toIso8601String(),
            'section_level_submit' => (bool) $this->section_level_submit,
            'sections' => $this->sections->map(fn ($s) => [
                'id' => $s->id,
                'slug' => $s->slug,
                'name' => $s->name,
                'description' => $s->description,
                'sort_order' => (int) $s->sort_order,
            ])->values()->all(),
            'fields' => $visibleFields->map(function (FormField $f) use ($availableTagsByCategory): array {
                $isTagPicker = $f->field_type === FormFieldType::TAG_PICKER->value;

                return [
                    'id' => $f->id,
                    'slug' => $f->slug,
                    'field_type' => $f->field_type,
                    'label' => $f->label,
                    'help_text' => $f->help_text,
                    'options' => is_array($f->options) ? array_values($f->options) : null,
                    'available_tags' => $isTagPicker
                        ? $this->tagsForField($f, $availableTagsByCategory)
                        : null,
                    'validation_rules' => $f->validation_rules,
                    'is_required' => (bool) $f->is_required,
                    'display_width' => $f->display_width instanceof \BackedEnum ? $f->display_width->value : $f->display_width,
                    'conditional_logic' => $f->conditional_logic,
                    'sort_order' => (int) $f->sort_order,
                    'form_schema_section_id' => $f->form_schema_section_id,
                ];
            })->values()->all(),
        ];
    }

    /**
     * Prefetch every active person_tag for the org once and bucket by
     * category so TAG_PICKER fields can apply their own category filter
     * without N+1 queries.
     *
     * @param \Illuminate\Support\Collection<int, FormField> $visibleFields
     * @return array<string, array<int, array<string, string>>> categoryKey → rows
     */
    private function availableTagsByCategory(?string $organisationId, $visibleFields): array
    {
        if ($organisationId === null) {
            return [];
        }

        $hasTagPicker = $visibleFields->contains(fn ($f) => $f->field_type === FormFieldType::TAG_PICKER->value);
        if (! $hasTagPicker) {
            return [];
        }

        // Named-scope bypass only — don't unintentionally strip future
        // soft-delete or is_active scopes if any land later. The explicit
        // organisation_id filter re-establishes tenant isolation by hand.
        $rows = PersonTag::query()
            ->withoutGlobalScope(OrganisationScope::class)
            ->where('organisation_id', $organisationId)
            ->where('is_active', true)
            ->orderBy('sort_order')
            ->orderBy('name')
            ->get(['id', 'name', 'category']);

        $grouped = [];
        foreach ($rows as $tag) {
            $category = (string) ($tag->category ?? '');
            $grouped[$category][] = [
                'id' => (string) $tag->id,
                'name' => (string) $tag->name,
                'category' => $category,
            ];
        }

        return $grouped;
    }

    /**
     * Narrow the prefetched tags to the categories a TAG_PICKER field
     * names in validation_rules.tag_categories; no filter means all.
     *
     * @param array<string, array<int, array<string, string>>> $byCategory
     * @return array<int, array<string, string>>
     */
    private function tagsForField(FormField $field, array $byCategory): array
    {
        $filter = (array) (($field->validation_rules['tag_categories'] ?? null) ?: []);

        if ($filter === []) {
            $out = [];
            foreach ($byCategory as $rows) {
                foreach ($rows as $row) {
                    $out[] = $row;
                }
            }

            return $out;
        }

        $out = [];
        foreach ($filter as $category) {
            foreach ($byCategory[(string) $category] ?? [] as $row) {
                $out[] = $row;
            }
        }

        return $out;
    }
}